WordPress has been providing a low cost platform for small businesses looking to succeed in internet markets since 2003. Hundreds of WordPress themes, plugins and widgets exist that provide average users with enterprise-level features for their business, particularly for eCommerce firms.  Yet despite the number of positive aspects, WordPress security (and particularly its eCommerce themes) has not had the same stellar reputation.

While WordPress provides the world a free web platform, its security record has been riddled with vulnerabilities.  In one example, a security hole allowed remote attackers to obtain sensitive information via an invalid upload request.  In another, multiple cross-site scripting (XSS) vulnerabilities were discovered, allowing arbitrary HTML injection into a user’s page.  While WordPress tends to be quick to resolve these and many other kinds of security issues, users of these plugins should be aware of the risks as well.  In reports from Network World, analysts claim that as many as 20% of the 50 most common WordPress plugins have major security flaws. They go on to say that seven out of ten of the most popular eCommerce plugins contain significant vulnerabilities. Oftentimes, these plugins are vulnerable to a range of issues, from SQL injection and XSS (cross-site scripting) issues to complex logic-bypass vulnerabilities.  This means that, even if you’re running a patched WordPress instance or secure eCommerce plugin, other insecure plugins may still put your site at risk.

As an open source application, there have been many WordPress plugins developed to make the life of the business owner a little easier. WooCommerce is a popular WordPress theme which allows the business owner to further tailor their web presence to their specific needs. According to WooCommerce, their platform has undergone a security audit, ensuring strong security standards. However, on July 19^th of this year, WooCommerce released a patch to fix a XSS vulnerability in version 2.0.12.  According to patch notes, an issue had been discovered that allowed script insertion attacks. This opened a hole for malicious users to “insert arbitrary HTML and script code [to] be executed in a user’s browser session.” Just a few months later, a similar exploit was discovered in a later version.  These vulnerabilities compromise the integrity of an eCommerce account and personal systems, leaving end-users open to a variety of client-side attacks.

Cart66 is another popular example of a WordPress theme that has had multiple security liabilities.  In September 2013, two vulnerabilities were discovered in version 1.5.1.14 that created massive security holes for the theme. The first was a CSRF (cross-site request forgery) vulnerability, which could compromise the integrity of a victim Cart66 site.  If a WordPress administrator neglected to log out of his account and clicked on a link hosting malicious code, the attacker could inject or modify a product to the victim site.

While the WordPress platform, themes, and plugins tend to be cheap and simple to configure compared to custom-built sites, many of these modules are vulnerable to attack.  WordPress security vulnerabilities such as these can be identified and mitigated with our Web Application Penetration Testing service.  If your small business uses WordPress and its eCommerce plugins, ensure that your site is secure and consult with Rhino Security Labs.